03-05-2007 12:39 AM - edited 03-11-2019 02:41 AM
Hi,
I am Hemant. We have a PIX 506E firewall, a D-Link ADSL DSL-502T and my IBM xSeries 236 server.
I have a fixed static live IP 59.181.103.220 which I got from my ISP (MTNL), and the same IP is given in the FQDN at http://www.net4india.com (the company from which we have registered our domain name and taken space).
My problem is that I am not able to send mail through my mail server (loyalindia.co.in), but I am receiving mails from any server.
My network design is as follows:
ADSL (WAN) 59.181.103.220,
ADSL (LAN) 59.181.103.221,
PIX 506E (out) 59.181.103.222,
PIX 506E (in) 192.168.1.1,
My domain mail server loyalindia.co.in (Exchange server) IP 192.168.1.2
I have tried with NAT on the ADSL and without NAT, but the problem is the same.
If I remove the PIX 506E and connect the server directly to the ADSL, I am able to receive and send mails properly.
Anybody who can support me?
03-05-2007 05:14 AM
Have you verified the fixup smtp?
If you use Exchange with the ESMTP protocol, disable the fixup with no fixup smtp.
HTH
Roberto
03-07-2007 08:59 PM
Hi Roberto,
I have given the command "no fixup protocol smtp" but it did not solve my problem.
Is there any other command for the PIX which I can try? Is my network design OK, or should it be changed?
Design is as:
adsl (wan) 59.181.103.220,
adsl (lan)59.181.103.221,
cisco pix 506e (wan) 59.181.103.222,
cisco pix 506e (lan) 192.168.1.1,
Domain controller (loyalindia.co.in) mail server (Exchange 2003) IP is 192.168.1.2
Is this network design OK,
or do I have to make some changes?
Please let me know. Waiting for the reply.
Bye
03-08-2007 07:21 AM
hi hemant,
you need the following on the pix:
static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255
access-list out_in permit tcp any interface outside eq 25
access-group out_in in interface outside
what is this doing?
opening port 25 on the pix's outside interface
the mx record of this mail server should point to the outside interface of the firewall.
hope this takes care of your issue.
Regards,
Sushil.
03-10-2007 04:58 AM
No, it did not solve my problem.
Should I change the MX record / FQDN IP (59.181.103.220) which is registered with the DNS?
My static live ip 59.x.x.220
My network design is as:
adsl (wan) 59.x.103.220,
adsl (lan)59.x.103.221,
cisco pix 506e (wan) 59.x.103.222,
cisco pix 506e (lan) 192.168.1.1,
Domain controller (loyalindia.co.in) mail server (Exchange 2003) IP is 192.168.1.2
My config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname loyal
domain-name loyalfire.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 59.x.103.221 adsl
name 192.168.1.2 mail
access-list smtp_in permit tcp any interface outside eq smtp
access-list smtp_in permit tcp any host 59.181.103.222 eq smtp
access-list out_in permit tcp any interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 59.x.x.222 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location mail 255.255.255.255 inside
pdm location adsl 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 adsl 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http mail 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end
You will get the idea.
Bye
03-10-2007 05:45 AM
Hi,
The conf. is OK.
The SMTP server is the 59.181.103.222 (the outside interface of the pix !).
P.S.: insert also the following conf. on the pix:
logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging trap warnings
no logging console
Regards.
03-10-2007 08:40 AM
Hemant,
I checked the DNS databases and found this:
- loyalindia.co.in is your domain, the MX record for it is mail.loyalindia.co.in which points to 59.181.103.220
Your current configuration on the PIX binds the mail server to use 59.181.103.222 (PIX WAN interface IP) to send outbound mails and receive mails. That is fine. The reason your outbound mails might be failing is due to reverse-DNS lookup. When the destination mail server does a reverse lookup for mail.loyalindia.co.in, it sees 59.181.103.220; however, it is receiving the mails from 59.181.103.222, so it rejects the mail giving a reverse-lookup failure error.
Here is what you need to do:
- Have the MX record IP changed to 59.181.103.222
This should solve your issues for outbound mails. Hope that helps.
Regards,
Vibhor.
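The mismatch Vibhor describes can be checked before touching DNS or the firewall: the address the MX host resolves to, the address outbound SMTP actually leaves from (the PIX outside interface, because of `global (outside) 1 interface` plus the `static ... interface smtp` line), and the PTR record for that address should all agree. The script below is an added example, not code from the thread or from Cisco; it runs against a constructed DNS snapshot embedded inline instead of live lookups. The PTR entries are an assumption (the thread only states the MX/A address); `DNS_AFTER` models the MX record having been moved to 59.181.103.222 as Vibhor suggests.

```python
"""Offline consistency check for a mail server's public identity.

A receiving MTA that does reverse-DNS checks wants three things to line up:
  1. the MX host for the domain resolves (A) to some address,
  2. outbound SMTP connections arrive from that same address,
  3. that address has a PTR whose name resolves back to it (FCrDNS).
The DNS data here is constructed for the example, not looked up live.
"""

# Constructed snapshot of the situation described in the thread:
# MX -> mail.loyalindia.co.in -> 59.181.103.220, but the PIX NATs outbound
# mail to 59.181.103.222. PTR records are assumed for the example.
DNS_BEFORE = {
    "MX": {"loyalindia.co.in": ["mail.loyalindia.co.in"]},
    "A": {"mail.loyalindia.co.in": ["59.181.103.220"]},
    "PTR": {"59.181.103.220": ["mail.loyalindia.co.in"]},
}

# Constructed snapshot after the suggested fix: the MX host now resolves to
# the PIX outside address and the ISP has published a matching PTR (assumed).
DNS_AFTER = {
    "MX": {"loyalindia.co.in": ["mail.loyalindia.co.in"]},
    "A": {"mail.loyalindia.co.in": ["59.181.103.222"]},
    "PTR": {"59.181.103.222": ["mail.loyalindia.co.in"]},
}

# Taken from the posted PIX config: outbound traffic is PAT'd to the outside
# interface, so every SMTP session the Exchange box opens appears from here.
PIX_OUTSIDE_IP = "59.181.103.222"


def check_mail_identity(dns, domain, outbound_ip):
    """Return a list of findings; an empty list means the identity is consistent."""
    findings = []

    mx_hosts = dns["MX"].get(domain, [])
    if not mx_hosts:
        findings.append(f"no MX record for {domain}")

    # Addresses that the rest of the world associates with this domain's mail.
    mx_addrs = set()
    for host in mx_hosts:
        mx_addrs.update(dns["A"].get(host, []))

    # Finding 1: outbound mail leaves from an address nobody expects.
    if outbound_ip not in mx_addrs:
        shown = ", ".join(sorted(mx_addrs)) or "none"
        findings.append(
            f"outbound SMTP source {outbound_ip} is not an address of any MX host ({shown})"
        )

    # Finding 2/3: reverse DNS for the source address is missing or does not
    # confirm forward (forward-confirmed reverse DNS).
    ptr_names = dns["PTR"].get(outbound_ip, [])
    if not ptr_names:
        findings.append(f"no PTR record for {outbound_ip}")
    else:
        confirmed = any(outbound_ip in dns["A"].get(name, []) for name in ptr_names)
        if not confirmed:
            findings.append(
                f"PTR for {outbound_ip} -> {ptr_names} does not resolve back to {outbound_ip}"
            )
    return findings


def main():
    for label, snapshot in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        result = check_mail_identity(snapshot, "loyalindia.co.in", PIX_OUTSIDE_IP)
        print(f"[{label}] outbound from {PIX_OUTSIDE_IP}:")
        for line in result or ["consistent"]:
            print("   ", line)


if __name__ == "__main__":
    main()
```

Against `DNS_BEFORE` the check reports two findings for 59.181.103.222 (not an MX address, no PTR), which is exactly the situation a strict receiving MTA would reject; against `DNS_AFTER` it reports none. Note that changing the MX record alone fixes the first finding; the PTR for the PIX outside address is published by whoever owns the reverse zone (normally the ISP), so it has to be requested separately.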
03-12-2007 06:11 AM
But this IP, 59.181.103.222, is not a live IP.
Will it work? Or do I have to purchase a new static IP?
I had also changed my network design with a (purchased) new static IP 59.181.111.159, which was not live, and that also did not solve my problem. It was not sending and receiving mails.
My design was as follows:
MX record IP (FQDN) 59.181.111.159
adsl (wan) 59.181.103.220
adsl (lan) 59.181.111.158
pix 506e (out) 59.181.111.159
pix 506e (in) 192.168.1.1
domain mail server (exchange) ip 192.168.1.2
So what should I do? Please let me know. Waiting for the reply.
Bye.